github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 09:11:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): restrict default safe-bin trusted dirs

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-24 23:12:52 +00:00
parent 2d159e5e87
commit b67e600bff
6 changed files with 32 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/infra/exec-safe-bin-runtime-policy.test.ts
View File

@@ -89,4 +89,18 @@ describe("exec safe-bin runtime policy", () => {
expect(policy.trustedSafeBinDirs.has(path.resolve(customDir))).toBe(true);
expect(policy.trustedSafeBinDirs.has(path.resolve(agentDir))).toBe(true);
});
it("does not trust package-manager bin dirs unless explicitly configured", () => {
const defaultPolicy = resolveExecSafeBinRuntimePolicy({});
expect(defaultPolicy.trustedSafeBinDirs.has(path.resolve("/opt/homebrew/bin"))).toBe(false);
expect(defaultPolicy.trustedSafeBinDirs.has(path.resolve("/usr/local/bin"))).toBe(false);
const optedIn = resolveExecSafeBinRuntimePolicy({
global: {
safeBinTrustedDirs: ["/opt/homebrew/bin", "/usr/local/bin"],
},
});
expect(optedIn.trustedSafeBinDirs.has(path.resolve("/opt/homebrew/bin"))).toBe(true);
expect(optedIn.trustedSafeBinDirs.has(path.resolve("/usr/local/bin"))).toBe(true);
});
});